Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
'There are several potential pipeline steps that could be modified by an attacker to inject malicious code into the build cycle. A likely attacker path is the modification to an existing pipeline that they have access to. This detection looks for users modifying a pipeline when they have not previously been observed modifying or creating that pipeline before. This query also joins events with data to Microsoft Entra ID Protection in order to show if the user conducting the action has any associ
| Attribute | Value |
|---|---|
| Type | Analytic Rule |
| Solution | AzureDevOpsAuditing |
| ID | 155e9134-d5ad-4a6f-88f3-99c220040b66 |
| Severity | Medium |
| Status | Available |
| Kind | Scheduled |
| Tactics | Execution, DefenseEvasion |
| Techniques | T1578, T1569 |
| Source | View on GitHub |
This content item queries data from the following tables:
| Table | Selection Criteria | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|---|
ADOAuditLogs_CL |
✓ | ✓ | ✓ | |
AzureDevOpsAuditing |
✓ | ✗ | ? | |
SecurityAlert |
ProviderName == "IPC" |
✓ | ✗ | ✓ |
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊